A new study by a US consumer nonprofit has found that five out of six home routers are inadequately updated for security flaws, leaving the devices, and indirectly their users, vulnerable to hacking.
Carried out by the American Consumer Institute (ACI), the study analyzed a sample of 186 SOHO (small office/home office) Wi-Fi routers from 14 different vendors with a presence on the US market.
ACI experts looked at the firmware version the routers were running and searched public vulnerabilities databases for known security flaws affecting each device's firmware.
"In total, there was a staggering number of 32,003 known vulnerabilities found in the sample," said ACI experts in the study published last week.
"Our analysis shows that of the 186 sampled routers, 155 (83 percent) were found to have vulnerabilities to potential cyberattacks, in the router firmware, with an average of 172 vulnerabilities per router, or 186 vulnerabilities per router for the identified 155 routers," ACI experts said.
Of the total 32,003 security flaws, more than a quarter were rated at the two highest severity levels, "critical" and "high-risk."
"Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample," researchers said.
These are staggeringly large numbers.
ACI experts said the use of open-source libraries is one of the main reasons for the presence of security flaws in router firmware, as the firmware often inherits the vulnerabilities of the smaller components it is built from.
Furthermore, the lack of auto-update mechanisms keeps many of these devices in a vulnerable state until a user is reminded to update the firmware, which usually happens only after a major router hacking spree, such as the emergence of the Mirai and VPNFilter malware strains.
While some router vendors have started adding auto-update mechanisms to recent models, it will take years for these new versions to replace older ones. In the meantime, the older SOHO router models will continue to put users at risk, along with all the IoT devices connected to them.
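The audit pattern the study describes (record each router's firmware components, match them against a public vulnerability database, then aggregate the hits by severity) can be shown in a few dozen lines. The following script is an added illustration written for this article, not the ACI study's own tooling or data: the routers, component versions, vulnerability identifiers (placeholders, not real CVE numbers) and CVSS scores are all constructed, and it simplifies the affected-version logic to a single "fixed in" boundary per entry. It covers both the component-inheritance point above (vulnerabilities are keyed by bundled component, not by router model) and the summary statistics quoted earlier in the piece (share of routers affected, average vulnerabilities per router, counts of critical and high-risk flaws).

```python
"""Firmware component audit: match bundled components against a known-vulnerability list
and summarize the results the way a SOHO router study would report them.

Added example for illustration; all data below is constructed and the vulnerability
identifiers are placeholders, not real CVE numbers."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.0.3' into (2, 0, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Vuln:
    vuln_id: str     # placeholder identifier (constructed)
    component: str   # bundled library/daemon the flaw lives in
    fixed_in: str    # first version that is no longer affected (simplification)
    cvss: float      # CVSS base score, used for the severity bucket


@dataclass(frozen=True)
class Router:
    model: str                   # constructed model name
    components: Dict[str, str]   # component name -> version shipped in the firmware


# Constructed "public vulnerability database" excerpt.
VULN_DB: List[Vuln] = [
    Vuln("EXAMPLE-0001", "libexample", "1.3.0", 9.8),
    Vuln("EXAMPLE-0002", "libexample", "1.1.0", 7.5),
    Vuln("EXAMPLE-0003", "httpd",      "2.0.5", 5.3),
    Vuln("EXAMPLE-0004", "httpd",      "2.2.0", 8.1),
    Vuln("EXAMPLE-0005", "kernel",     "4.4.0", 9.1),
]

# Constructed router sample: two unpatched firmware images and one fully patched one.
ROUTERS: List[Router] = [
    Router("vendor-a-r1", {"libexample": "1.2.0", "httpd": "2.0.3", "kernel": "3.18.0"}),
    Router("vendor-b-x2", {"libexample": "1.0.0", "httpd": "2.2.0", "kernel": "4.9.0"}),
    Router("vendor-c-z3", {"libexample": "1.3.0", "httpd": "2.2.1", "kernel": "4.14.0"}),
]


def severity(cvss: float) -> str:
    """CVSS v3 qualitative buckets."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def find_vulns(router: Router, db: List[Vuln]) -> List[Vuln]:
    """A router inherits every flaw of a bundled component whose version predates the fix."""
    hits = []
    for vuln in db:
        shipped = router.components.get(vuln.component)
        if shipped is not None and parse_version(shipped) < parse_version(vuln.fixed_in):
            hits.append(vuln)
    return hits


def summarize(routers: List[Router], db: List[Vuln]) -> dict:
    """Aggregate per-router hits into the headline figures a study would report."""
    per_router = {r.model: find_vulns(r, db) for r in routers}
    affected = [m for m, hits in per_router.items() if hits]
    total = sum(len(hits) for hits in per_router.values())
    by_severity = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for hits in per_router.values():
        for vuln in hits:
            by_severity[severity(vuln.cvss)] += 1
    return {
        "sampled": len(routers),
        "affected": len(affected),
        "affected_pct": round(100 * len(affected) / len(routers)),
        "total_vulns": total,
        "avg_per_router": total / len(routers),
        "avg_per_affected": total / len(affected) if affected else 0.0,
        "by_severity": by_severity,
        "per_router": {m: [v.vuln_id for v in hits] for m, hits in per_router.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(ROUTERS, VULN_DB).items():
        print(f"{key}: {value}")
```

The matching is deliberately keyed on components rather than router models: that is why a single flaw in a widely reused library shows up in many products at once, and why a firmware image can be "current" from the vendor's point of view while still shipping a library version that the database already lists as affected.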
"Keeping firmware patched for known online threats may be an expense for manufacturers, but not doing so leaves consumers to collectively bear the burden of potentially much higher costs from cybercrime," ACI experts said.